| 1 |
--- e-smith-manager-2.2.0.old/root/etc/e-smith/web/common/cgi-bin/login 2014-02-18 01:29:31.000000000 -0500 |
| 2 |
+++ e-smith-manager-2.2.0/root/etc/e-smith/web/common/cgi-bin/login 2017-01-19 18:39:17.951000000 -0500 |
| 3 |
@@ -130,6 +130,13 @@ |
| 4 |
my $ip_addr = $at->ignore_ip ? undef : $ENV{REMOTE_ADDR}; |
| 5 |
my $redirected = 0; |
| 6 |
|
| 7 |
+my $b = URI->new($back); |
| 8 |
+# If $back domain doesn't match $AUTH_DOMAIN, stop there do not give opportunity to log in |
| 9 |
+my $domain = $AUTH_DOMAIN || $server_name; |
| 10 |
+if ($b->host !~ m/\b$domain$/i) { |
| 11 |
+ $fatal="Bad redirection parameter: \"$back\" is not an authorized redirection.<br />\nYou may be experiencing an attack.<br />\nLogin is not possible on the above URL for your own security.<br />\nPlease manually enter the address you were trying to reach if you followed a link."; |
| 12 |
+ } |
| 13 |
+ |
| 14 |
# ------------------------------------------------------------------------ |
| 15 |
# Set the auth cookie and redirect to $back |
| 16 |
my $set_cookie_redirect = sub { |
| 17 |
@@ -157,14 +164,6 @@ |
| 18 |
print $q->header( -cookie => $cookie ); |
| 19 |
#return 0 if $debug; |
| 20 |
|
| 21 |
- my $b = URI->new($back); |
| 22 |
- # If $back domain doesn't match $AUTH_DOMAIN, pass ticket via back GET param |
| 23 |
- my $domain = $AUTH_DOMAIN || $server_name; |
| 24 |
- if ($b->host !~ m/\b$domain$/i) { |
| 25 |
- $back .= $b->query ? '&' : '?'; |
| 26 |
- $back .= $at->cookie_name . '=' . $tkt; |
| 27 |
- } |
| 28 |
- |
| 29 |
# For some reason, using a Location: header doesn't seem to then see the |
| 30 |
# cookie, but a meta refresh one does - weird |
| 31 |
print $q->start_html( |
Parent Directory
| 
Revision Log
| 
Revision Graph
